Parsing input into Logstash


(Elastic-for-me) #1

I configured SNMP to get information from a PDU.
I ran only two gets to test, and the output is long.

    {
        "iso.org.dod.internet.private.enterprises.apc.products.hardware.rPDU2.rPDU2Device.rPDU2DeviceConfigTable.rPDU2DeviceConfigEntry.rPDU2DeviceConfigLocation.1" => "Racl 240 TOP",
        "@timestamp" => 2019-02-07T21:21:47.493Z,
        "iso.org.dod.internet.private.enterprises.apc.products.hardware.rPDU2.rPDU2Device.rPDU2DeviceConfigTable.rPDU2DeviceConfigEntry.rPDU2DeviceConfigName.1" => "DataCenter1-P1-R240T",
        "@version" => "1",
    }

How do I parse this to remove all the leading entries like "iso.org.dod.internet.private......." all the way to the second-last word, like rPDU2DeviceConfigName?

Something needs to be done in the filter section, but I can't figure out which filter to use, as the string will be different for each OID that I get.


#2

This filter

    ruby {
        code => '
            event.to_hash.each { |k, v|
                if k.start_with? "iso.org."
                    newk = k.sub(/.*\.([^\.]+\.[^\.]+)$/, "\\1")
                    event.set(newk, v)
                    event.remove(k)
                end
            }
        '
    }

will reduce those down to

    "rPDU2DeviceConfigName.1" => "DataCenter1-P1-R240T",
    "rPDU2DeviceConfigLocation.1" => "Racl 240 TOP",

(Elastic-for-me) #3

Badger, Man you rock. when will I buy you lunch. :slight_smile: :grinning:

Great.


(Elastic-for-me) #4

While we are on this ruby topic,
how do I do math on a field?
rPDULoadStatusLoad = new value

    ruby {
        code => "event.set('rPDULoadStatusLoad', event.get('rPDULoadStatusLoad.1')/10"
    }

But it seems like I am doing something wrong.

I tried many different combinations with this set and get; all give me errors.


#5

If rPDULoadStatusLoad.1 is a string (it shows up with quotes in a rubydebug output) then you will need to .to_f it.

    event.set('rPDULoadStatusLoad', event.get('rPDULoadStatusLoad.1').to_f/10)

(Elastic-for-me) #6

Well, this one just worked. LOL

    ruby {
        code => "event.set('rPDULoadStatusLoad',(event.get('rPDULoadStatusLoad.1')/10))"
    }


(Elastic-for-me) #7

I didn't understand or to understand that.
Now I have a new problem with the same parsing.
I have some values that end with .2 and/or .3 and/or .4

k.sub(/.*\.([^\.]+\.[^\.]+)$/, "\\1") ---> how is this doing the parsing?
How do I tackle that?


(Elastic-for-me) #8

Actually it works for any number. I didn't test it; I thought it would not work.
But it would be good to know how.


#9

That says anything (.*) followed by a dot, followed by one or more characters that are not dots, followed by a dot, followed by one or more characters that are not dots, followed by the end of the string. So it matches foo.1, foo.2, or even foo.bar


(Elastic-for-me) #10

So
([^\.]+\.[^\.]+)$ = one or more characters that are not a dot, a dot, one or more characters that are not a dot, up to the end of the string

Thanks. got it.
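
The key-shortening regex from post #2 (explained in post #9) and the divide-by-ten from post #5, as an added example that is not code from any poster. A plain Ruby Hash stands in for the Logstash event; the helper names, the collision check and the shortened sample OID paths are assumptions made for the demo.

```ruby
# Added example: plain-Ruby model of the two ruby filters in this thread.
# A Hash stands in for the Logstash event so it runs without Logstash.

OID_PREFIX = "iso.org."
# Same pattern as post #2: anything, a dot, then the last two dot-free parts.
LAST_TWO = /.*\.([^\.]+\.[^\.]+)$/

# Return a copy of the event with long "iso.org." keys shortened.
# (hypothetical helper name)
def shorten_oid_keys(event)
  out = {}
  event.each do |k, v|
    newk = k.start_with?(OID_PREFIX) ? k.sub(LAST_TWO, "\\1") : k
    # Two different OIDs can end in the same two parts; fail loudly
    # instead of silently overwriting one reading with another.
    raise KeyError, "short key collision: #{newk}" if out.key?(newk)
    out[newk] = v
  end
  out
end

# Scale a raw reading by 1/10, accepting an Integer or a numeric String.
# Float() raises ArgumentError on non-numeric text, where String#to_f
# would quietly return 0.0. (hypothetical helper name)
def scale_tenths(raw)
  Float(raw) / 10
end

# Constructed sample event: OID paths are shortened placeholders and the
# load values are made up.
SAMPLE = {
  "iso.org.constructed.path.rPDU2DeviceConfigName.1" => "DataCenter1-P1-R240T",
  "iso.org.constructed.path.rPDULoadStatusLoad.1"    => "125",
  "iso.org.constructed.path.rPDULoadStatusLoad.2"    => 37,
  "@version"                                         => "1"
}.freeze

if __FILE__ == $PROGRAM_NAME
  short = shorten_oid_keys(SAMPLE)
  p short
  p scale_tenths(short["rPDULoadStatusLoad.1"])  # String input
  p scale_tenths(short["rPDULoadStatusLoad.2"])  # Integer input
  p short["rPDULoadStatusLoad.2"] / 10           # Integer division truncates
end
```

Integer readings divided with a bare `/10` lose the fractional part, which is why the example converts to Float first.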